Strange so-status content #12369

UMWP · 2024-02-16T16:03:19Z

UMWP
Feb 16, 2024

Version

2.4.20

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

64

Storage for /

300 GB

Storage for /nsm

3,7 TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hello.

I have installed additional sensor node from securityonion-2.4.20-20231006.iso in distributed deployment (Linux fwd2 5.15.0-202.135.2.el9uek.x86_64 #2 SMP Fri Jan 5 15:44:16 PST 2024 x86_64 x86_64 x86_64 GNU/Linux).

On management node I have accepted the salt key for that new forward node. However when I try to check it's status by so-status command it says: "so-status not yet available". After some time I've checked again, and again - but it's still the same.

Finally I've also checked /sbin/so-status and /usr/sbin/so-status and both files belong to root:root and are only 42 bytes:
-rwxr-xr-x. 1 root root 42 Feb 15 19:53 /sbin/so-status
and their content is as follow:
echo 'so-status not yet available'
exit 0
But on others existing forward/sensor nodes these files belong to socore:socore and are much, much bigger:
-rwxr-xr-x. 1 socore socore 6.1K Aug 27 15:59 /sbin/so-status

What are these strange so-status files? Where are they from? The same issue is with sensor node installed from securityonion-2.4.40-20240116.iso

Regards
Mirek

minion.txt

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

reyesj2 · 2024-02-18T03:03:46Z

reyesj2
Feb 18, 2024
Maintainer

You had mentioned both 2.4.20 and 2.4.40. Is the manager running 2.4.40?

From your sensor are you able to run sudo so-checkin ? What is the output

0 replies

UMWP · 2024-02-19T07:04:42Z

UMWP
Feb 19, 2024
Author

Manager is 2.4.20.
sudo: so-checkin: command not found

Very strange, but in /sbin and /usr/sbin I have only 2 so-* commands:
-rwxr-xr-x. 1 root root 42 Feb 15 19:53 /sbin/so-status
-rwxr-xr-x. 1 root root 40 Feb 15 19:53 /sbin/so-test

so-test is (similar to so-status) only 2 lines:
echo 'so-test not yet available'
exit 0

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Strange so-status content #12369

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Strange so-status content #12369

Uh oh!

UMWP Feb 16, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments

Uh oh!

reyesj2 Feb 18, 2024 Maintainer

Uh oh!

UMWP Feb 19, 2024 Author

UMWP
Feb 16, 2024

reyesj2
Feb 18, 2024
Maintainer

UMWP
Feb 19, 2024
Author